NTP feature request for pihole-FTL v6

jpgpi250 · July 1, 2024, 12:41pm

my firewall (pfsense) is also the ntp server

nslookup 192.168.2.251
251.2.168.192.in-addr.arpa      name = pfsense.internal.

query ntp , using dns name: sudo pihole-FTL ntp pfsense.internal

Using NTP server: pfsense.internal
........
Received 8/8 valid NTP replies from pfsense.internal
Time offset: -2.449751e-02 ms (excluded 0 outliers)
Round-trip delay: 6.278753e-01 ms (excluded 0 outliers)

query ntp, using IP address:

Using NTP server: 192.168.2.251
........
Received 8/8 valid NTP replies from 192.168.2.251
Time offset: 1.514554e-01 ms (excluded 0 outliers)
Round-trip delay: 5.137920e-01 ms (excluded 0 outliers)

There is no indication time is actually synchronized (the NTP daemon uses a return value (zero), chrony uses "200 OK" return message), hence the request, pihole-FTL, without sudo if possible, should give an indication time is synchronized, no log parsing should be required.

I've been using these return values to inform dnsmasq (pihole-FTL) time is synchronized (SIGINT)

pid=$(ps -e | grep 'pihole-FTL' | awk '{print $1}')
/bin/kill -2 $pid

see dnsmasq man

--dnssec-no-timecheck
DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGINT. The intention is that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as reliable time is established, a SIGINT should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records which have not been thoroughly checked.

does pihole-FTL, the NTP part, automatically informs time is now synchronized, thus DNSSEC validation is now required, or is the above code still valid?

second request: would it be possible to provide a toml option to disable the ntp feature of pihole-FTL entirely?

DL6ER · July 1, 2024, 3:32pm

only if `--update`` is appended, time synchronization is tried.

It does. The exit code 0 means time is "correct" in the sense of deviation is less than 0.1 seconds:

github.com/pi-hole/FTL

src/ntp/client.c

1e4190229


      
          	// Offset and delay larger than 0.1 seconds are considered as invalid
          	// during local testing (e.g., when the server is on the same machine)
          	return theta_avg < 0.1 && delta_avg < 0.1;

pihole-FTL can do this internally now but only in the new branch tweak/ntp_delay, not yet in development-v6:

https://github.com/pi-hole/FTL/pull/2004

On this branch, the code you quoted won't be necessary.

It is already there. Check out the new ntp section in pihole.toml. You have dedicated options to disable both the NTP servers for IPv4 and IPv6 as well as the client: